
News Update Financial Regulatory
4 March 2025
In this News Update we discuss: use of artificial intelligence (AI) by insurance undertakings and insurance intermediaries – EIOPA's draft Opinion; expansion of outsourcing rules – consultation on Financial Markets Amendment Decree 2026; and capital requirements for credit institutions in connection with crypto-assets exposures.
We further highlight some other financial regulatory publications issued since our last News Update.
Use of artificial intelligence (AI) by insurance undertakings and insurance intermediaries – EIOPA's draft Opinion
On 10 February 2025, the European Insurance and Occupational Pensions Authority (EIOPA) published – for consultation – its draft Opinion on the use of AI by insurance undertakings and insurance intermediaries. Market participants have until 12 May 2025 to respond to this consultation, using this survey.
This opinion, although aimed at national competent authorities such as the Dutch Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB), provides valuable insights for parties considering or using AI in relation to insurance business. The annexes to the opinion contain tools which insurance undertakings can use to document their use of AI and assess inherent risks.
EIOPA points out that AI as defined in Regulation (EU) 2024/1689 (the AI Act) is expected to play a pivotal role in the ongoing digital transformation in the insurance sector, where there is a trend towards the increasing use of AI systems throughout the insurance value chain. AI may result in faster automated claims handling, improved risk assessments and reduced customer fraud. On the other hand, AI may increase risks due to the limited explainability of certain AI systems and biased or even discriminatory outcomes.
The AI Act classifies AI systems into four categories according to their risk level: prohibited, high risk, limited risk and minimal risk. In case of natural persons covered under life and health insurance, the AI Act qualifies the use of AI systems for risk assessment and pricing as a high risk activity. The use thereof is subject to specific governance and risk management requirements.
The use of other AI systems for insurance products, unless prohibited under the AI Act, is governed by the relevant requirements set out in existing sectoral EU legislation, including Article 41 (governance) of the Solvency II Directive (Directive 2009/138/EC), Article 17 (fair treatment of customers) of the Insurance Distribution Directive (Directive (EU) 2016/97, IDD), Article 25 (product approval process) of the IDD, and Articles 5 and 6 (internal governance and risk management frameworks) of the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA).
As a starting point, EIOPA points out that limited or minimal risk AI use cases can involve varying levels of risks. Governance and risk management measures need to be adequate and proportionate in relation to the use case in question. Impact assessments need to consider:
- whether large-scale data processing occurs;
- whether AI systems can act autonomously; and
- what adverse impact AI systems could have on the right to non-discrimination.
Further, relevant aspects include the extent to which AI systems are used:
- in a business line which is important for the financial inclusion of customers or compulsory by law;
- for critical activities that can impact the business continuity of an insurance undertaking; and
- in a manner that can impact the financial position of an insurance undertaking.
Based on this impact assessment, undertakings need to formulate appropriate and proportionate governance and risk management measures ensuring the responsible use of AI systems. These should address the following aspects:
- fairness and ethics;
- data governance;
- documentation/record keeping;
- transparency and explainability;
- human oversight; and
- accuracy and cyber resilience.
The opinion addresses each of these aspects in more detail. The level of safeguards applied has to be tailored to the specific risks associated with an AI system and its use case. Further, undertakings need to embed their approach to AI use in their relevant policy documents, and also address responsibility, accountability and human oversight. In addition, staff require access to adequate training and should be informed of the applicable approach and policies.
Expansion of outsourcing rules – consultation on Financial Markets Amendment Decree 2026
On 23 January 2025, the Dutch legislature launched a consultation (in Dutch) where market participants can respond to the draft Financial Markets Amendment Decree 2026 (in Dutch) (Wijzigingsbesluit financiële markten 2026, the Amendment Decree). The Amendment Decree serves to add two new articles to the Market Conduct Supervision (Financial Institutions) Decree (Besluit gedragstoezicht financiële ondernemingen Wft, the Market Conduct Supervision Decree), specifically Articles 38l and 38m. These articles will considerably expand the outsourcing rules for providers of investment objects (aanbieders van beleggingsobjecten), credit providers (kredietaanbieders), intermediaries (bemiddelaars), advisers (adviseurs), and authorised and subauthorised agents ((onder)gevolmachtigd agenten) (hereinafter: financial service providers). The outsourcing rules and the AFM outsourcing guidelines for financial service providers are currently very limited. The new rules cover the following.
Outsourcing – framework and need for legislative amendment
In the Amendment Decree, the legislature briefly explains that the outsourcing of work by (among others) financial service providers can fall within the definition of outsourcing referred to in Article 1:1 of the Financial Supervision Act (Wet op het financieel toezicht). This essentially means having third parties perform work that is part of or ensues from the provision of financial services, or that is part of the essential business processes that support these services. Financial service providers that outsource work remain responsible for compliance with the Financial Supervision Act.
In 2020, the AFM sent a request for information to financial service providers to gain insight into the prevention of outsourcing risks and how and to what extent financial service providers manage these risks. The survey revealed that in 11% of the cases, no written agreement had been concluded with the third party, and that in a staggering 70% of the cases, the risks associated with outsourcing had not been identified.
Register
Under the new Article 38l(1) of the Market Conduct Supervision Decree, the financial service providers must keep a register of information on all work outsourced and the parties to which they outsource that work. This means that the financial service providers must clearly identify the parties that perform work for them qualifying as outsourcing. The legislature clarifies that these also include financial service providers' group companies to which work is outsourced.
Written Agreement
The second and third paragraphs of the new Article 38l of the Market Conduct Supervision Decree require financial service providers to conclude written agreements with third parties to which work is outsourced. These agreements must lay down at least the following:
- the rights and obligations of the financial service provider and the third party to which the work has been outsourced;
- the mutual information exchange, including arrangements on the provision of information requested by supervisory authorities in implementation of their statutory duties (for example, information about incidents, which the financial service provider must report to the AFM);
- the option for financial service providers to change at any time the manner in which the third party is to perform the work (for example, following an instruction or order from the AFM);
- the third party's obligation to enable the financial service provider to consistently comply with the law;
- how continuity of operations is ensured for the financial service provider;
- how the security of automated processes is ensured and incidents are reported to the financial service provider; and
- how the agreement will be terminated and what is done to ensure that the financial service provider can resume the work or outsource it to another third party after termination of the agreement.
Expertise and due care
In addition, the new Article 38l(4) of the Market Conduct Supervision Decree requires financial service providers to ensure that they have the necessary expertise and exercise due care and vigilance when concluding, managing or terminating any agreements with third parties. This entails that financial service providers must investigate a third party's suitability before outsourcing any work to this third party. The final paragraph of the new Article 38l of the Market Conduct Supervision Decree emphasises the responsibility of the financial service provider to ensure the necessary expertise, by setting it as a condition for effective (continuous) supervision of outsourced activities.
AFM notification requirement for insurers
Finally, the new Article 38m of the Market Conduct Supervision Decree provides that insurers intending to outsource work falling within the scope of the Market Conduct Supervision Part of the Financial Supervision Act must notify the AFM accordingly. This could be, for example, work that an insurer outsources to an authorised agent.
Entry into force
The Amendment Decree published by the legislature is still only a draft. The consultation round runs up to and including 7 March 2025. If the Amendment Decree is passed in its current form, it will most likely enter into force at the beginning of 2026.
Capital requirements for credit institutions in connection with crypto-assets exposures
On 8 January 2025, the European Banking Authority (EBA) launched a consultation round on the draft regulatory technical standards (RTS) on the prudential treatment of crypto-assets exposures under the EU Capital Requirements Regulation (Regulation (EU) 2024/1623, CRR 3). CRR 3 contains a transitional regime for the prudential treatment of crypto-assets exposures, which has been applicable to credit institutions since 9 July 2024. The EBA has now published the relevant technical standards to implement that transitional regime. Meanwhile, the European Union is working on a new regulatory framework to ensure that credit institutions engaged in crypto activities can withstand crypto-asset volatility. This regulatory framework will eventually replace the transitional regime. The European Union has until 30 June 2025 to develop that new framework.
The purpose of the technical standards now published is to offer credit institutions exposed to crypto-assets a consistent and uniform guideline to enable them to keep sufficient capital to absorb any risks and losses caused by crypto-assets exposures. This is particularly important given the high volatility and specific risks inherent in crypto-assets.
The proposed standards address a wide range of subjects, including the calculation of credit risk, market risk (MR) and counterparty credit risk (CCR) and the capital requirements in relation to exposures to various types of crypto-assets, such as electronic money tokens (EMTs), asset-referenced tokens (ARTs) that reference traditional assets, and other crypto-assets, such as unbacked crypto-assets (Bitcoin, for example). These other crypto-assets in particular will be subject to a total exposure limit. In addition, the RTS include reporting and disclosure requirements for crypto-assets exposures and related activities.
The RTS furthermore address technical elements such as the use of netting, aggregating of short and long positions in crypto-assets and the formulas relevant for calculating the exposure value of crypto-assets for the CCR and MR treatment.
The EBA aims to use the consultation to create a harmonised approach within the EU, which will strengthen the stability of the financial system. It is a major step towards regulation of the fast-growing crypto market. The deadline for market participants to submit their comments on the draft technical standards is 8 April 2025.
Other financial regulatory publications
We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our February 2025 News Update.
AFM
- On 7 February 2025, the AFM published points of attention for prospectuses in 2025. The EU Listing Act (Regulation (EU) 2024/2809) will bring significant changes to prospectus regulation. These changes will be implemented in three phases, the first of which came into effect on 4 December 2024.
DNB
- On 3 February 2025, DNB published the new suitability matrix for fit and proper assessments, which aligns with the updated 2012 Suitability Policy Rule (Beleidsregel geschiktheid 2012) from 2023.
- On 11 February 2025, DNB launched a consultation round (in Dutch) for its new Guide on Climate-Related and Environmental Risk Management (Gids voor de beheersing van klimaat- en milieurisico's) for insurers, electronic money institutions, payment institutions, investment firms, investment institutions and pension funds.
- On 18 February 2025, DNB published a news item on the Instant Payments Regulation (Regulation (EU) 2024/886), which entered into force on 8 April 2024. This Regulation aims to promote the use of instant credit transfers and to make instant credit transfers in euro available to citizens, businesses and institutions holding a payment account in the EU or the EEA. DNB indicates that from 9 April 2025, payment service providers must inform DNB of their share of rejections – for national as well as cross-border instant credit transfers – by applying targeted financial restriction measures. In view of the EBA's publication of the final draft Implementing Technical Standards, this date will probably be postponed by 12 months.
EBA
- On 5 February 2025, the EBA issued an Opinion in response to the European Commission's proposed amendments to the EBA draft RTS on conflicts of interests for issuers of ARTs. ARTs are crypto-assets that reference traditional assets, such as currencies or securities, and are a strictly regulated type of 'stablecoin'. These draft RTS specify the requirements for the mandatory policy documentation on conflicts of interest for ART issuers under the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114, MiCAR) and the minimum contents of conflict of interest disclosures. In developing the draft RTS, the EBA took into account recent governance failures in crypto-asset markets, which primarily ensued from conflicts of interest.
- On 11 February 2025, the EBA published its Final Report on guidelines amending Guidelines EBA/GL/2019/04 on ICT and security risk management. This report aligns the scope of the existing Guidelines on ICT and security risk management measures with DORA. The aim is to simplify and clarify the ICT risk management framework.
ESMA
- On 14 February 2025, the European Securities and Markets Authority (ESMA) published a news item about its launch of a Common Supervisory Action (CSA) with the national competent authorities (NCAs) tasked with supervising undertakings for collective investment in transferable securities (UCITS) management companies and alternative investment fund managers (AIFM). The CSA concerns effective compliance and internal audit functions with adequate staffing, authority, knowledge and expertise. The NCAs will share their findings with ESMA in 2025 and ESMA will publish its report in 2026.
- On 17 February 2025, ESMA launched a consultation round on the criteria for the assessment of knowledge and competence of crypto-asset service providers' staff who give information or advice on crypto-assets or crypto-asset services.
- ESMA published a new edition of its January and February 2025 newsletter. Subjects covered in this issue include: (i) simplification and burden reduction; (ii) guidance on MiCAR best practices; (iii) guidance on non-MiCAR compliant ARTs and EMTs (stablecoins); (iv) the EBA and ESMA analysis of recent developments in crypto-assets; and (v) ESAs' study on the feasibility of further centralisation of major ICT-related incident reporting by financial entities.
EIOPA
- On 20 February 2025, EIOPA published a Supervisory Statement on the deduction of foreseeable dividends under Solvency II.
ESAs
- On 18 February 2025, the European Supervisory Authorities (ESAs) published a roadmap for their oversight of critical third-party ICT service providers under DORA.
Legislature
- On 14 February 2025, the Ministry of Finance launched a consultation (in Dutch) for further steps in the implementation of the Banking Recovery and Resolution Directive (Directive 2014/59/EU), regarding the recovery and resolution framework for failing banks and investment firms. The proposed Act will also amend the Financial Supervision Act. Some improvements are possible to make it easier for the Dutch resolution authority (the Dutch Central Bank, De Nederlandsche Bank) to implement the framework and to align more closely with the text of the Directive.
If you have any further questions, please do not hesitate to contact Berry van Wijk, Juan Vervuurt, Lisanne Haarman or Gijs Hamelijnck.